CodingBlocks
PagerDuty’s Security Training for Engineers! Part Deux
We continue our discussion of PagerDuty’s Security Training presentation while Michael buys a vowel, Joe has some buffer, and Allen hits everything he doesn’t aim for.
The full show notes for this episode are available at https://www.codingblocks.net/episode175.
Sponsors
- Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard.
- Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode’s Linux virtual machines.
- Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management.
Survey Says
Do you stick with your New Year's resolutions?
- For the first couple weeks.
- I'm pretty good until Spring. -Ish.
- I'm like a machine. Resolutions are rules that are not meant to be broken.
- Wait, those things are to be taken seriously? They're broken by noon New Years Day.
- What are resolutions?
News
- Thanks for the reviews!
- iTunes: aodiogo
- Game Ja-Ja-Ja-Jamuary is coming up, sign up is open now! (itch.io)
Encryption
- OWASP’s 2021 Top 10 lists the broader “Cryptographic Failures” at #2, up from #3 in 2017 (when the category was called “Sensitive Data Exposure”).
- PagerDuty defines encryption as encoding information in such a way that only authorized readers can access it.
- Note that this is an informal definition that speaks to the most common use of the word.
- Encryption is really, really difficult to get right. There are people who spend their whole lives thinking about encryption, and about breaking it. You may think you’re a genius for coming up with a non-standard implementation, but attackers are sophisticated and that strategy has failed over and over. Use vetted libraries and standard, well-reviewed algorithms and modes.
- There are different types of encryption:
- Symmetric/Asymmetric – refers to whether the key that decrypts is the same key that encrypted (symmetric, e.g. AES) or a different, mathematically related key (asymmetric, e.g. RSA or elliptic-curve schemes).
- Block Cipher – Operates on fixed-size blocks (16 bytes for AES). A block is encrypted or decrypted as a unit, so anything longer than one block needs a mode of operation (CBC, CTR, GCM, etc.), and choosing the mode is as security-relevant as choosing the cipher.
- Public/Private Key – Asymmetric encryption where one key is published and the other kept secret. For example, you publish a PGP public key; anyone can use it to encrypt a message to you, and only the holder of the private key can read it.
- Stream Cipher – Encrypts “on the fly”, byte by byte, by XORing the data with a keystream (ChaCha20, or a block cipher in counter mode such as the AES-GCM used by most HTTPS connections). You can start decrypting before you have the whole message, which suits streaming and latency-sensitive traffic, and with a counter-based keystream you can resume at a known offset. The critical caveat: never reuse a key and nonce/IV pair, because two messages encrypted under the same keystream leak the XOR of their plaintexts.
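As an added example, not from the PagerDuty training or the episode, here is the stream-cipher caveat and the “use the standard implementation” advice side by side in Go, using only the standard library. AES in CTR mode acts as a stream cipher; encrypting two messages under the same key and IV lets an attacker with one known plaintext recover the other without the key. AES-GCM with a fresh random nonce per message, and an authentication tag that makes tampering detectable, is the form you should actually ship. The message contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ctrEncrypt runs AES in counter (CTR) mode. The block cipher only generates a
// keystream from key+IV; the data is XORed with it byte by byte, which is why a
// block cipher in CTR mode behaves like a stream cipher. There is no
// authentication tag, and nothing here stops the caller from reusing the IV.
func ctrEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// xorBytes XORs a and b over the length of the shorter slice.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReuseLeak is the attacker's view. Given two ciphertexts produced under
// the same key AND the same IV, c1 XOR c2 == p1 XOR p2 because the keystream
// cancels out; with one plaintext known (a predictable log line, a protocol
// header) the other is recovered without ever touching the key.
func KeystreamReuseLeak(c1, c2, knownPlaintext []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownPlaintext)
}

// Seal encrypts with AES-GCM, drawing a fresh random 96-bit nonce per call and
// prepending it to the output. GCM also emits an authentication tag, so Open
// rejects any modification of nonce, ciphertext or associated data (aad).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails closed on any tampering.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // AES-256
	iv := make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)

	// Constructed sample messages: one predictable, one secret.
	known := []byte("event=disk_usage host=web-01 pct=91")
	secret := []byte("token=hunter2-shh-pagerduty-api")
	c1 := ctrEncrypt(key, iv, known)
	c2 := ctrEncrypt(key, iv, secret) // same key, same IV: the bug
	fmt.Printf("recovered without the key: %q\n", KeystreamReuseLeak(c1, c2, known))

	sealed, _ := Seal(key, secret, []byte("v1"))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the ciphertext/tag
	_, err := Open(key, sealed, []byte("v1"))
	fmt.Println("tampered GCM ciphertext rejected:", err != nil)
}
```

The same cancellation happens with any stream cipher or counter mode, which is why TLS and SSH derive a fresh key and nonce schedule per connection rather than trusting application code to manage IVs.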
Encryption in Transit
- Also known by other names such as data in motion.
- Designed to protect against entities that can snoop (or manipulate!) our communications.
- You can do this with HTTPS (HTTP over TLS), TLS directly for other protocols, or IPsec at the network layer.
- Perfect Forward Secrecy is the key to protecting past communications: each session negotiates a fresh, ephemeral key, so a compromised key only affects the session it was used for. In particular, a later leak of the server’s long-term private key does not let an attacker decrypt traffic they recorded earlier.
- From Wikipedia “In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.” (Wikipedia)
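To make the forward-secrecy property concrete, here is an added example in Go (standard library only; not code from the PagerDuty training or the episode) of the exchange behind it: each party has a long-term Ed25519 identity key that only signs, and for every session mints a throwaway X25519 key pair. The session key is derived from the two ephemeral keys alone, so losing the identity key later lets an attacker impersonate you, but not decrypt sessions that already happened. The KDF is a simplified SHA-256 stand-in, an assumption for the demo; a real protocol uses HKDF over the handshake transcript.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint. Its Ed25519 identity key is the long-term secret
// (the thing that sits on disk for years and can leak); it is used only to
// sign, never to derive session keys.
type Party struct {
	Name     string
	identity ed25519.PrivateKey
	Identity ed25519.PublicKey // distributed out of band (certificate, pinned key)
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, identity: priv, Identity: pub}
}

// Offer is what goes on the wire: a fresh X25519 public key plus a signature
// by the sender's long-term key, so the peer knows who generated it.
type Offer struct {
	Ephemeral []byte
	Sig       []byte
}

// StartSession mints a brand-new ephemeral key pair for this one session.
// The private half lives only in memory for the lifetime of the session.
func (p *Party) StartSession() (*ecdh.PrivateKey, Offer) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := eph.PublicKey().Bytes()
	return eph, Offer{Ephemeral: pub, Sig: ed25519.Sign(p.identity, pub)}
}

// Finish checks that the peer's offer was signed by the peer's known identity
// key (an active attacker cannot substitute their own ephemeral key), then
// derives the session key from the two ephemeral keys alone.
func Finish(eph *ecdh.PrivateKey, peerIdentity ed25519.PublicKey, peer Offer) ([]byte, error) {
	if !ed25519.Verify(peerIdentity, peer.Ephemeral, peer.Sig) {
		return nil, errors.New("ephemeral key is not signed by the expected identity")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	// Simplified KDF (assumption for the demo). The long-term key does not
	// enter the derivation, which is exactly what gives forward secrecy.
	h := sha256.New()
	h.Write([]byte("demo-session-key-v1"))
	h.Write(shared)
	return h.Sum(nil), nil
}

// RunSession performs one handshake between a and b and returns the session
// key each side computed; they must match.
func RunSession(a, b *Party) (keyA, keyB []byte, err error) {
	ephA, offerA := a.StartSession()
	ephB, offerB := b.StartSession()
	if keyA, err = Finish(ephA, b.Identity, offerB); err != nil {
		return nil, nil, err
	}
	if keyB, err = Finish(ephB, a.Identity, offerA); err != nil {
		return nil, nil, err
	}
	return keyA, keyB, nil
}

func main() {
	client, server := NewParty("client"), NewParty("server")
	k1, _, _ := RunSession(client, server)
	k2, _, _ := RunSession(client, server)
	fmt.Printf("session 1 key %x...\nsession 2 key %x...\n", k1[:8], k2[:8])
	// Even if server.identity leaked tomorrow, neither k1 nor k2 could be
	// recomputed: the ephemeral private keys that produced them are gone.
}
```

This is the shape of a TLS 1.3 handshake (ephemeral ECDHE, authenticated by a certificate signature); the non-forward-secret alternative it replaced was RSA key transport, where the client encrypted the session secret to the server’s long-term key, so one leaked private key unlocked every recorded session.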
Encryption at Rest
- Simply means that data is encrypted where it’s stored.
- An example of this is full disk encryption on laptops and desktops. The entire drive is encrypted so if someone were to steal the drive, it’d essentially be useless without the keys to decrypt the data on the drive.
- For PagerDuty, and many other companies, the most important information to protect is customer data, just as important as your own passwords.
- PagerDuty’s data classifications:
- General data – This is anything available to the public.
- Business data – Includes operating data for the business, such as payroll, employee info, etc. This type of data is expected to be encrypted in transit and at rest.
- Customer data – This is data provided to the company by the customer and is expected to be encrypted in transit and at rest.
- Customer data has controls covering authentication, access control, storage, auditing, encryption, and destruction.
- Business data has similar controls except without the auditing.
- PagerDuty called out that when using cloud services you must make sure encryption is enabled on each one: S3, GCS, Azure Blob Storage, etc.
- In the console it’s just a checkbox, but in reality resources are created by scripts, infrastructure-as-code templates, etc., so know which settings to include so that encryption is on for everything you provision, not only what was clicked through by hand.
- Another interesting thing they do at PagerDuty: they get alerted when a resource is created without encryption enabled.
- What about third parties you use? Should they encrypt as well? YES!!!
- Perform vendor risk assessments prior to using the vendor. If they don’t pass the security assessment, use a different vendor.
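The “alert when a resource is created without encryption” idea above, as an added example in Go (standard library only; not PagerDuty’s tooling or code): a policy check run over a resource inventory. The attribute names inside each record mirror what the AWS APIs return for S3 bucket encryption, EBS volumes and RDS instances; the inventory format wrapping them, the data-classification labels, and the extra rule that customer data must use a KMS key rather than the provider-managed default are assumptions for the demo, and the bucket, volume and database names are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource is one entry of the constructed inventory. Attrs holds the raw
// service-specific attributes (shapes from get-bucket-encryption,
// describe-volumes and describe-db-instances); collection is left open.
type Resource struct {
	Kind  string          `json:"kind"`  // "s3", "ebs" or "rds"
	ID    string          `json:"id"`
	Class string          `json:"class"` // general, business or customer
	Attrs json.RawMessage `json:"attrs"`
}

// Violation names a resource that fails the encryption-at-rest policy.
type Violation struct {
	ID     string
	Reason string
}

// s3Encryption is the ServerSideEncryptionConfiguration body.
type s3Encryption struct {
	Rules []struct {
		ApplyServerSideEncryptionByDefault struct {
			SSEAlgorithm   string `json:"SSEAlgorithm"`
			KMSMasterKeyID string `json:"KMSMasterKeyID"`
		} `json:"ApplyServerSideEncryptionByDefault"`
	} `json:"Rules"`
}

// CheckEncryption returns one Violation per non-public resource that is not
// encrypted at rest. Public ("general") data has no requirement.
func CheckEncryption(inventory []Resource) []Violation {
	var out []Violation
	for _, r := range inventory {
		if r.Class == "general" {
			continue
		}
		if reason := checkOne(r); reason != "" {
			out = append(out, Violation{ID: r.ID, Reason: reason})
		}
	}
	return out
}

func checkOne(r Resource) string {
	switch r.Kind {
	case "s3":
		var cfg s3Encryption
		if err := json.Unmarshal(r.Attrs, &cfg); err != nil || len(cfg.Rules) == 0 {
			return "no default server-side encryption rule"
		}
		alg := cfg.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm
		switch {
		case alg == "":
			return "no SSE algorithm configured"
		case r.Class == "customer" && alg != "aws:kms": // demo policy, see lead-in
			return "customer data requires SSE-KMS, found " + alg
		}
	case "ebs":
		var v struct {
			Encrypted bool `json:"Encrypted"`
		}
		if err := json.Unmarshal(r.Attrs, &v); err != nil || !v.Encrypted {
			return "volume is not encrypted"
		}
	case "rds":
		var v struct {
			StorageEncrypted bool `json:"StorageEncrypted"`
		}
		if err := json.Unmarshal(r.Attrs, &v); err != nil || !v.StorageEncrypted {
			return "database storage is not encrypted"
		}
	default:
		// Fail closed: a kind we cannot check is a finding, not a pass.
		return "no encryption check implemented for kind " + r.Kind
	}
	return ""
}

// LoadInventory parses a JSON array of resources.
func LoadInventory(data []byte) ([]Resource, error) {
	var inv []Resource
	err := json.Unmarshal(data, &inv)
	return inv, err
}

// Constructed sample inventory.
const sampleInventory = `[
  {"kind":"s3","id":"pd-public-docs","class":"general","attrs":{}},
  {"kind":"s3","id":"pd-customer-incidents","class":"customer",
   "attrs":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}},
  {"kind":"s3","id":"pd-payroll-exports","class":"business",
   "attrs":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"alias/payroll"}}]}},
  {"kind":"ebs","id":"vol-0a1b2c3d4e5f67890","class":"business","attrs":{"Encrypted":false}},
  {"kind":"rds","id":"customer-db-1","class":"customer","attrs":{"StorageEncrypted":true}}
]`

func main() {
	inv, err := LoadInventory([]byte(sampleInventory))
	if err != nil {
		panic(err)
	}
	for _, v := range CheckEncryption(inv) {
		fmt.Printf("ALERT %s: %s\n", v.ID, v.Reason)
	}
}
```

Two practical notes. The default branch fails closed on purpose: an inventory kind the checker does not understand should page someone to extend the check, not silently pass. And since early 2023 AWS applies SSE-S3 to new buckets by default, so a bare “is the bucket encrypted” test on S3 says less than it used to; the question that still carries weight is whether the key is one you control and can audit and revoke.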
Secret Management
- Q. What is it? A. Protecting and auditing access to secrets.
- Auditing lets you see when someone who shouldn’t be is using your secrets, and keeps track of which systems should be, and are, using them.
- Hashicorp Vault has a great video to learn about the challenges of managing secrets. (YouTube)
- What are secrets?
- Secrets are sensitive things such as tokens, keys, passwords, user names, many others.
- Secrets should NOT be stored in source control.
- Although it seems to happen all the time, be it on purpose, by accident, etc.
- Anyone with access to the code can now access the secrets, and that includes the repository history: deleting a secret in a later commit does not help, it has to be rotated.
- PagerDuty uses Vault. Vault:
- Securely stores secrets,
- Provides audit access to those secrets, and
- Provides mechanisms to rotate the secrets if/when necessary.
- Don’t hardcode secrets or come up with ad hoc ways to get them into your applications.
- Secrets should never be shared, i.e. if two people need access to a system, they should each have their own secret to access that system.
- Where a single credential to an external system is unavoidable, put it behind a “jump” server: the jump server holds the credential, and each user authenticates to the jump server individually, so access stays attributable.
- NEVER share passwords over insecure channels. This can include channels such as:
- Slack,
- Email,
- SMS,
- But this is not an exhaustive list.
- If you do accidentally post a secret in a chat or an insecure channel, you should:
- Let the security team know immediately (you have a security team right?!), and
- Find out how to rotate the secret and do it.
- Never allow a secret to be logged!
- This can be especially egregious if you’re logging customer credentials you don’t control.
- Be sure you are sanitizing your log data before you log.
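The two points above about secrets in source control and secrets in logs can be served by one piece of code, so here is an added example in Go (standard library only; not from the PagerDuty training or the episode): a small set of secret detectors used both to scan text, as a pre-commit or CI hook would over a diff, and to redact a message before it reaches the logger. The patterns are illustrative, not exhaustive; the sample log lines are constructed, and the AWS access key ID in them is the placeholder AWS uses in its own documentation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule pairs a detector with a replacement template that keeps the field
// name (useful when debugging) and drops only the secret value.
type rule struct {
	name string
	re   *regexp.Regexp
	repl string
}

var rules = []rule{
	// key=value or key: value credentials in query strings, config and log fields
	{"kv-credential",
		regexp.MustCompile(`(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*["']?)([^\s"'&,;]+)`),
		"${1}${2}[REDACTED]"},
	// HTTP Authorization header values
	{"authorization-header",
		regexp.MustCompile(`(?i)\b(authorization:\s*(?:basic|bearer)\s+)([A-Za-z0-9\-._~+/]+=*)`),
		"${1}[REDACTED]"},
	// AWS access key IDs: documented fixed prefix and length
	{"aws-access-key-id",
		regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`),
		"[REDACTED:aws-access-key-id]"},
	// PEM private key headers (the key body follows on later lines)
	{"private-key-block",
		regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`),
		"[REDACTED:private-key-block]"},
}

// Finding locates a secret-looking match by line and rule.
type Finding struct {
	Line int
	Rule string
}

// Scan reports every line of text that matches a rule. Run it over a diff in
// a pre-commit hook, or over captured log output in a test.
func Scan(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{Line: i + 1, Rule: r.name})
			}
		}
	}
	return out
}

// Redact is the logging-side counterpart: call it on a message before it is
// handed to the logger so a secret never lands on disk or in a log pipeline.
func Redact(line string) string {
	for _, r := range rules {
		line = r.re.ReplaceAllString(line, r.repl)
	}
	return line
}

// Constructed sample log lines; no real credentials.
const sampleLog = `2022-01-10T12:00:01Z INFO login ok user=alice
2022-01-10T12:00:02Z DEBUG POST /oauth/token body=grant_type=password&username=bob&password=hunter2
2022-01-10T12:00:03Z DEBUG outbound headers Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
2022-01-10T12:00:04Z WARN config aws_access_key_id=AKIAIOSFODNN7EXAMPLE region=us-east-1`

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("line %d: %s\n", f.Line, f.Rule)
	}
	for _, line := range strings.Split(sampleLog, "\n") {
		fmt.Println(Redact(line))
	}
}
```

Pattern matching only catches secrets that look like secrets; the stronger control for logs is structural, i.e. never passing request bodies or headers to the logger wholesale, with Redact as the backstop. For source control, the same Scan over `git diff --cached` output is the cheapest place to catch a commit before it happens; once a secret has been pushed, scanning is too late and rotation is the only fix.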
Resources we Like
- For Engineers – PagerDuty Security Training (sudo.PagerDuty.com)
- For Everyone – PagerDuty Security Training (sudo.PagerDuty.com)
- Security Now (TWiT.tv)
- Have I Been Pwned (HaveIBeenPwned.com)
- Forward secrecy (Wikipedia)
- What is Sign in with Apple? (support.apple.com)
- What is Hide My Email? (support.apple.com)
- Introduction to HashiCorp Vault with Armon Dadgar (YouTube)
- Encryption (NetworkSorcery.com)
- OWASP Guide to Cryptography (OWASP.org)
- Infrastructure Secret Management Software Overview (GitHub)
Tip of the Week
- Hashicorp Vault is a tool for managing secrets, but did you know they have a ton of plugins? Take a look! (VaultProject.io)
- Unity has tools built in for common game functionality, it’s worth taking a few minutes to google for something before you start typing. Don’t worry, there is still plenty of code to write, but these tools improve the quality and consistency of your game.
- You can use animation clips to create advanced character animations, but it’s also good for simple tweens and motions that need to happen once, or in a loop. No need for “Rotator.cs” type classes that you see in a lot of Unity tutorials. (docs.unity3d.com)
- NavMeshes are an efficient way of handling pathfinding, which is an important piece of many games. You can learn the basics in just a few minutes and accomplish some amazing things. (docs.unity3d.com)
- GoFullPage lets you take a screenshot of a whole webpage, bada bing, bada boom. (chrome.google.com, GoFullPage.com)